Dealing with BYOD (countermeasures)

BYOD is no longer just a trend; it’s here, and with the savings companies can make in equipment costs, it is here to stay. Companies should embrace it, not only for equipment savings but for more productivity while staff are mobile, working from home during bad weather spells, etc. But, like any other technology, BYOD is not without risks, and it is evolving.

To give users a blank cheque (free, gratis) implies risks. Network managers fear the struggle to protect their information assets through consistent application of security policies, even on devices owned by them.

Defiant users (“Oh I use a Mac, they don’t get viruses” or “No, I don’t run an antivirus, it slows down the system”) need addressing and educating. Although virus intrusion is the big fear, malware is more prevalent. Giving up the address contents of the company mailbox to malware results in more spam to be dealt with, along with your customers sharing the experience.

Business requirements, end-user experience, and generally employee-friendly policies appear to trample over security risks, especially when there are so many devices and requirements being pushed at the network.

An accept-the-risk approach is running with scissors, and leaves more holes in network and data access unless monitored.

Maintain control

Maintaining control over enterprise-owned devices is a must to be able to ward off potential threats and evaluate BYOD risks constantly. BYOD brings in an additional attack surface and attack vector, which is growing in terms of both the likelihood of threats and the impact of such threats.

Just multiply the threats by the number of BYODs. Bringing One’s Own Risks comes well over and above the other risks enterprises have been trying to stay ahead of. BYODs pose a huge security challenge, no doubt.

There are a few steps that even small enterprises can take, provided the infrastructure supports them.

  1. Employee self-service access to corporate information resources should always go through domain authentication. Using the turnstile technique, you at least know who opened the door to access, and can attempt to trace the source.
  2. Don’t put the users on the LAN directly; set up a VLAN (Virtual Local Area Network) for BYODs and make use of ACLs (Access Control Lists) as an additional layer of network defense.
  3. For BYOD access via the company wireless network, ensure that users authenticate themselves, and always use wireless encryption (straight p2p VPN is slowly being phased out). Use DHCP (Dynamic Host Configuration Protocol) to throttle access so that only policy-permitted IP addresses are allowed: Fred, with his shiny new tablet, won’t be allowed on until IT checks and registers the equipment and can then grant access. This can be taken further by pinpointing BYOD equipment by MAC address.
  4. Email infrastructure, such as an on-premise Microsoft Exchange or an Office365 infrastructure, can help enforce MDM (Mobile Device Management) capabilities through a mailbox policy:
     a. Limit retention of emails (email is the most used application on most BYODs)
     b. Limit email attachment sizes
     c. Require a password to access the mail and device
     d. Enforce encryption on device storage as well as removable storage cards
     e. Be in the know by keeping tabs on all devices that connect to your email application, and a few more controls
  5. When a BYOD is within a corporation, one can subject it to scrutiny by the network firewalls and IPS/IDS (Intrusion Prevention/Detection System), and leverage web content screening and URL (Uniform Resource Locator) filtering.
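
The registration check from steps 2 and 3, as an added example (not code from the original article): it audits DHCP leases against IT's register of approved BYOD MAC addresses and the BYOD VLAN. The subnet, the register, the lease-log format and all function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data (assumptions, not from the article).
BYOD_VLAN = ipaddress.ip_network("10.20.30.0/24")  # hypothetical BYOD subnet
REGISTERED = {  # MAC -> owner, recorded by IT when the device is registered
    "a4:83:e7:12:34:56": "fred",
    "3c:22:fb:ab:cd:ef": "alice",
}
LEASES = """\
2024-05-01T09:00:12 10.20.30.15 A4-83-E7-12-34-56 freds-tablet
2024-05-01T09:03:40 10.20.30.22 3c:22:fb:ab:cd:ef alice-phone
2024-05-01T09:05:02 10.20.30.31 5e:9a:11:22:33:44 unknown-phone
2024-05-01T09:07:55 10.1.0.77 a4:83:e7:12:34:56 freds-tablet
2024-05-01T09:09:10 10.20.30.40 00:1b:44:11:3a:b7 new-laptop
"""

def normalize_mac(mac):
    """Lower-case, colon-separated form so register lookups are consistent."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the locally-administered bit is set, as in OS-randomized MACs."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit_leases(lease_text, registered, byod_net):
    """Return (ip, mac, reason) for every lease that breaks the BYOD policy."""
    findings = []
    for line in lease_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, mac, _host = line.split()
        mac = normalize_mac(mac)
        if mac not in registered:
            reason = "randomized-mac" if is_locally_administered(mac) else "unregistered"
        elif ipaddress.ip_address(ip) not in byod_net:
            reason = "registered-byod-outside-vlan"
        else:
            continue
        findings.append((ip, mac, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_leases(LEASES, REGISTERED, BYOD_VLAN):
        print(*finding)
```

Because a MAC address is chosen by the device, treat this as an inventory check that runs alongside the user authentication in step 3, not as a replacement for it.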